“Risk is like fire: if controlled, it will help you; if uncontrolled, it will rise up and destroy you” – Theodore Roosevelt
“Playing it safe is the riskiest choice you can ever make” – Sarah Ban Breathnach
“You miss one hundred percent of the shots you never take” – Wayne Gretzky
Risk, as defined by the Merriam-Webster Dictionary, is the possibility that something bad or unpleasant will happen. Risk, for the most part, has been part of human history and existence. Humans have taken all kinds of risks since the beginning of time and will continue to do so. All major advancements of our civilisation have been due to someone somewhere taking risks. Choice of careers, wives or husbands, when to go out and where to live are fraught with risks. Given that risks abound in almost everything that we do, it is imperative that we know more about how those envisaged risks are managed.
Wikipedia defines risk management as the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risk management’s objective is to ensure that uncertainties do not deflect individuals, businesses, and government programmes and projects from their envisioned goals. What risk management seeks to achieve is that opportunities (positive events) are enhanced while threats (negative events) are minimised.
There is no universally accepted approach to risk management, as the processes employed vary from one professional discipline to another. For instance, the construction industry, which is beset by risks, with the resultant effect of overwhelmingly poor and unacceptable performance, manages risks differently from the banking or the manufacturing industry. The following factors are important when evaluating and analysing risks: the probability that an event will occur, the range of possible outcomes, time of occurrence and frequency. Every organisation has its own risk appetite, forbearance, aversion and threshold levels in terms of cost, value, client fulfilment, time and other intangibles. There are a lot of inputs into the risk management effort and thought process, such as project background information, organisational process assets, enterprise environmental factors, project charter, project cost, schedule, human resource, quality, scope and procurement management plans, risk register, network diagram, work performance data and risk management plan.
Sources of risks
There are two major sources of risks: internal and external. The external risks category can be broken down into two sub-categories – the unpredictable and predictable risks. The unpredictable risks can be natural disasters (hurricanes, tornados, earthquakes, freezing temperatures), sabotage or vandalism. In the predictable risks sub-category are government regulations, market risks, contractors and sub-contractors, environmental risks, inflation and exchange rate risks.
Internal risks consist of inadequate and shoddy planning, sloppy programme and project management, scope and scope changes, negative stakeholders, schedule, cost and quality. Other sources of risks are legal (labour issues, litigation and breach of contract) and technology issues (software and software applications).
One characteristic of risk sources is that they comprise one or more basic drivers that cause risk events to actually happen during project execution; they also serve as a roadmap to risk ownership and identification.
Risk management process
The risk management process starts with the development of the risk management plan and comprises, but is not limited to, the following areas: risk identification, qualitative risk analysis, quantitative risk analysis, risk response and risk monitoring and control. Before kicking off the risk management process, each organisation or government department should have come up with a set of criteria and levels of risk that it is comfortable with, such as thresholds, appetites, tolerances and aversion levels. The risk management process should be integrated with the procedures for design and the development of the cost and schedule baselines and updates. A very well-managed risk management process should result in a decrease in the project's estimated cost and schedule.
Risk management plan
For any endeavour to be embarked upon, planning is very important. Proper planning makes execution and implementation easier. So, the risk management process needs to be well planned, executed, monitored and controlled. The risk management plan document should set out how risk is going to be managed effectively throughout the lifecycle of the project.
All stakeholders, right from the sponsor and the senior management to the rank and file, should be involved in the development of the risk management plan. High-level potential risks are first determined depending on the size and complexity of the project, with appropriate personnel assigned to monitor such risks. Time and resources to be spent on individual risks, which are based on the needs of the project, are determined and managed during the process. Organisational process assets in the areas of risk management are also used in drawing up the management plan.
Outputs of the risk management plan include the methodology to be used, roles and responsibilities of each stakeholder, risk management budget, timing for each risk, sources of the risks, types of risk, risk categories (external or internal), definitions of probability of impact, stakeholder preferences, risk reporting and tracking. The quality and the depth of the risk management plan will govern the effectiveness of the risk identification and analysis.
Risk identification
The process of risk identification, which is iterative, starts very early in the project management lifecycle, specifically during the initiating and the planning stages. It is the most common step taken in risk management. A wide range of factors is considered, including both negative risks (threats) and positive risks (opportunities). For EPC projects, risk identification focuses more on activities and events that can have a negative impact on performance. Positive risks or outcomes allow the project team to improve performance, develop new opportunities and in some cases to lower costs.
Risk identification involves ways of coming up with a list of anticipated risks. These include, but are not limited to, SWOT analysis (Strengths, Weaknesses, Opportunities and Threats), information gathering (brainstorming, the Delphi technique, interviewing and root cause analysis), checklist analysis and assumption analysis.
Ayodele Akingbade
